An Examination of the
Windows Vista
VBR ( Volume Boot Record )
or Boot Sector
[ Embedded in untfs.dll,
winsetup.dll and
various other
System files; see Introduction ]
Web Presentation and Text are Copyright©2009, 2012, 2015 by Daniel B. Sedory
NOT to be reproduced in any form without Permission of the Author !
|
This page examines Windows™ Vista's Volume Boot Record (VBR); which
we consider to be only the first sector of the system area at the beginning of a Vista OS volume. The BOOTMGR Loader code, immediately following the
VBR, spans across the boundaries of eight more sectors: Seven full 512-byte sectors, plus 40 bytes at the beginning of the eighth sector. This structure
is quite similar to the layout of the Windows XP VBR and its NTLDR
Loader code. |
Other Microsoft OS Volume Boot Records:
An Examination of the Windows 95B/98/98SE/Me OS Boot Record (MSWIN4.1)
An Examination of the Windows 2000/XP OS Boot Record (NTFS)
An Examination of the Windows 7 OS Volume Boot Record (NTFS)
A Comparison of Windows™ Vista, 7 and 8 VBR Code
And Microsoft MBR pages:
An Examination of the Standard MBR created by MS-DOS FDISK
The MBR created by Windows 95B/98/98SE and ME's FDISK
The MBR created by Windows 2000/XP/2003 Installs or Disk Management Utility
The MBR created by Windows 7 OS Installs or Disk Management Utility
Confused? Send us an email if you have a specific question about the MBR
or any Boot Records...
Just as we urged readers of our Vista
MBR page to make a copy of their MBR sector, you may wish to create copies of your Vista VBR. Though more difficult to work with;
considering all the details stored in this sector, there may come a time when you need/want to edit or replace this and other system sectors manually.
Some advice: Save all the data from the BIOS Parameter Block (BPB) area of the sector somewhere apart from your main
hard disk or write it down on paper(!); it does no good to have data you might need to access your OS on the un-accessible HD itself!
There are many ways you can do this... See our MBR Tools Page. Any good Disk Editor will allow
you to manually enter data you've written down, or you can use a number of utility programs to save the binary data to a file on say a thumb drive, and
later on restore the VBR and other sectors from the saved file(s). |
Introduction
This page examines the Windows™ Vista OS Volume Boot Record code; the code which
actually tests and begins to load a Windows™ Vista operating system from within the OS volume.
For our Windows™ Vista install, all the code bytes of Vista's Volume Boot Record
sector were also found inside the following files (listed by location, alphabetically; with offset to first byte of the code). In each case, there will be a
full 512 bytes that comprise the VBR sector, but locations for the Volume Serial Number and other vital data in the BPB area are all
zero-filled in these 'template' files; the correct data being entered when the file is copied to disk by the installation program or operating system. The
last two bytes will always be a 55h followed by an AAh:
Note: The code for the whole Vista Boot Record actually spans across 9 sectors;
including the one we're examining here, plus 40 bytes in the ninth one, for a total of 4,136 bytes. Technically, the Boot Record area is a full 16 contiguous
sectors; the remainder being all zero bytes.
1. C:\Windows\System32\autochk.exe [Offset: 616B0h]; immediately followed by all 3,624 bytes of the BOOTMGR Loader code beginning at offset 618B0h.
("Auto Check Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 640,000 bytes; Modification Date: "11/02/2006 2:44 AM").
There's also a copy of it here: C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.0.6000.16386_none_dfbd2b4dc4d6121b\autochk.exe
2. C:\Windows\System32\autoconv.exe [Offset: 64AC8h]; immediately followed by the BOOTMGR Loader code beginning at offset 64CC8h.
("Auto File System Conversion Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 653,312 bytes; Modification Date: "11/02/2006 2:44 AM").
There's also a copy of it here: C:\Windows\winsxs\x86_microsoft-windows-convert_31bf3856ad364e35_6.0.6000.16386_none_9a9e88bfab67232b\autoconv.exe
3. C:\Windows\System32\autofmt.exe [Offset: 5F890h]; immediately followed by the BOOTMGR Loader code beginning at offset 5FA90h.
("Auto File System Format Utility"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 632,320 bytes; Modification Date: "11/02/2006 2:44 AM").
There's also a copy of it here: C:\Windows\winsxs\x86_microsoft-windows-autofmt_31bf3856ad364e35_6.0.6000.16386_none_e3bd7ae1c2430704\autofmt.exe
4. C:\Windows\System32\untfs.dll [Offset: 49E00h]; immediately followed by the BOOTMGR Loader code beginning at offset 4A000h.
("NTFS Utility DLL"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 321,536 bytes; Modification Date: "11/02/2006 2:46 AM").
There's also a copy of it here: C:\Windows\winsxs\x86_microsoft-windows-f..mutilityntfslibrary_31bf3856ad364e35_6.0.6000.16386_none_fc8cf5d0f7021a0d\untfs.dll
5. C:\Windows\System32\oobe\winsetup.dll [Twice. Offsets: 12DAB8h and 130CE0h]; which are both immediately followed by the BOOTMGR Loader code (at offsets 12DCB8h and 130EE0h).
("Windows System Setup"; File version: "6.0.6000.16386 (vista_rtm.061101-2205)"; 1,374,208 bytes; Modification Date: "11/02/2006 2:46 AM").
There's also a copy of it here: C:\Windows\winsxs\x86_microsoft-windows-setup-component_31bf3856ad364e35_6.0.6000.16386_none_2ff5bc52b05737c3\winsetup.dll.
Like all previous MS Boot Records, the first three bytes are often called the Jump Instruction. But
only the first two bytes (EB 52 in this case) are actually used to form the actual JMP (Jump) code to the rest of the executable x86 (PC) Assembly code; the third byte (90h) is just a NOP ('No Op' or do nothing)
instruction. The next 8 bytes are the "OEM ID" or System Name ("NTFS"
and four blank spaces) for an NTFS volume; followed by the BPB (BIOS Parameter
Block).
Just like the _ BPB _
area for the Windows™ XP Volume Boot Record sector, this one also has all the fields that an NTFS volume has in common with FAT16 and
FAT32 Boot Records; such as Bytes per Sector, Sectors per Cluster, etc. and even the old Media Descriptor byte (F8), but again,
this one does not contain "System ID" or "Volume Label" fields, nor any system file names. However, if you can
locate "bootmgr" on your system and dig into its code, you will find a number of system file names,
such as winload.exe and BCD in there.
All the elements of a Vista VBR's _ BPB _ area are the same as those for earlier NTFS boot records (for details on the NTFS BPB, see our NTFS Boot Record page).
About the only thing a technician might want to brush up on is the fact a fresh Vista OS install will have 2,048 reserved sectors at the
beginning of the disk ("00 08 00 00" between brackets at offsets 1Ch-1Fh below; 0x800 = 2048).
The following is a disk editor view
of how the bytes of this VBR are stored on a hard disk in the first sector of a Windows Vista OS volume:
Relative Sector 0 (within the Volume)
NTFS BPB "OEM ID"
| |
0 1 2 3 4 5 6 7 8 9 A B C| D E F |
0000: EB 52 90 4E 54 46 53 20 20 20 20 00 02 08 00 00 .R.NTFS .....
0010: 00 00 00 00 00 F8 00 00 3F 00 FF 00[00 08 00 00] ........?.......
0020: 00 00 00 00 80 00 80 00 FF EF 3F 01 00 00 00 00 ..........?.....
0030: 04 00 00 00 00 00 00 00 FF FE 13 00 00 00 00 00 ................
0040: F6 00 00 00 01 00 00 00 6B E5 F9 78 1A FA 78 EA ........k..x..x.
0050: 00 00 00 00 FA 33 C0 8E D0 BC 00 7C FB 68 C0 07 .....3.....|.h..
0060: 1F 1E 68 66 00 CB 88 16 0E 00 66 81 3E 03 00[4E ..hf......f.>..N
0070: 54 46 53]75 15 B4 41 BB AA 55 CD 13 72 0C 81 FB TFSu..A..U..r...
0080: 55 AA 75 06 F7 C1 01 00 75 03 E9 D2 00 1E 83 EC U.u.....u.......
0090: 18 68 1A 00 B4 48 8A 16 0E 00 8B F4 16 1F CD 13 .h...H..........
00A0: 9F 83 C4 18 9E 58 1F 72 E1 3B 06 0B 00 75 DB A3 .....X.r.;...u..
00B0: 0F 00 C1 2E 0F 00 04 1E 5A 33 DB B9 00 20 2B C8 ........Z3... +.
00C0: 66 FF 06 11 00 03 16 0F 00 8E C2 FF 06 16 00 E8 f...............
00D0: 40 00 2B C8 77 EF B8 00 BB CD 1A 66 23 C0 75 2D @.+.w......f#.u-
00E0: 66 81 FB 54 43 50 41 75 24 81 F9 02 01 72 1E 16 f..TCPAu$....r..
00F0: 68 07 BB 16 68 70 0E 16 68 09 00 66 53 66 53 66 h...hp..h..fSfSf
0100: 55 16 16 16 68 B8 01 66 61 0E 07 CD 1A E9 6A 01 U...h..fa.....j.
0110: 90 90 66 60 1E 06 66 A1 11 00 66 03 06 1C 00 1E ..f`..f...f.....
0120: 66 68 00 00 00 00 66 50 06 53 68 01 00 68 10 00 fh....fP.Sh..h..
0130: B4 42 8A 16 0E 00 16 1F 8B F4 CD 13 66 59 5B 5A .B..........fY[Z
0140: 66 59 66 59 1F 0F 82 16 00 66 FF 06 11 00 03 16 fYfY.....f......
0150: 0F 00 8E C2 FF 0E 16 00 75 BC 07 1F 66 61 C3 A0 ........u...fa..
0160: F8 01 E8 08 00 A0 FB 01 E8 02 00 EB FE B4 01 8B ................
0170: F0 AC 3C 00 74 09 B4 0E BB 07 00 CD 10 EB F2 C3 ..<.t...........
0180: 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 ..A disk read er
0190: 72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42 ror occurred...B
01A0: 4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E OOTMGR is missin
01B0: 67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 63 g...BOOTMGR is c
01C0: 6F 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 ompressed...Pres
01D0: 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 s Ctrl+Alt+Del t
01E0: 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 o restart.......
01F0: 00 00 00 00 00 00 00 00 80 9D B2 CA 00 00 55 AA ..............U.
0 1 2 3 4 5 6 7 8 9 A B C D E F
|
Figure 1.
The last 128 bytes of this Boot Record contain Error Messages, Message Offset bytes and the Word-sized signature ID (or Magic number)
of AA55h. Remember that hex Words (numerical data requiring more than a single byte) for Intel
x86 CPUs are always stored in memory with the Lowest-byte first and the Highest-byte last to make CPU processing quicker.
Each Error Message begins with the Hex bytes 0Dh and 0Ah; a Carriage Return and Line Feed, and ends with a 00h byte which makes these what's commonly known in various programming languages as
zero-terminated or 'sz' strings (a character string followed by a single zero byte). The error messages are exactly the same
as those under Windows XP, except 'NTLDR' has been replaced by "BOOTMGR".
Note that the string of letters ("TCPA")
at offsets E3h through E6h are not coincidental; they stand for "Trusted Computing Platform Alliance"
and are actually part of the code which tests for the existence of a TPM chip. If the hardware supports TPM (Trusted
Platform Module) version 1.2, then it can be used to provide extra functionality for Vista's BitLocker™ Drive Encryption.
Neither are the bytes at offsets 6Fh through 72h a coincidence. The characters ("NTFS")
are used in the code to check for an "OEM ID" of that name, and display "A disk read error occurred" if that
string is not found (at offset 0003).
The eight physical sectors directly following a Windows™ Vista NTFS Boot
Sector, contain code which can interface with the older NTLDR file (in order to boot up Windows™ NT,
2000, XP, 2003 OS partitions) plus code to interact with the new BOOTMGR (boot manager)
program introduced with the Vista OS. This code is still necessary when booting up a Windows™ OS (even though the
bootmgr or NTLDR files may have been copied to the OS partition you start booting up from; as would be the
case if, for example, you installed Windows™ Vista on a disk already containing a bootable Win 98 OS in the
first partition followed by Vista's partition). When the code in such an altered volume boot record is executed, it will
look for, and require the existence of, the Windows™ XP or Vista OS partition's system code in order to boot-up the
original Windows™ 98 OS (cf. FAT32 Boot Record under Windows NT OSs).
The four bytes at offsets 1F8h through 1FBh
("80 9D B2 CA") are used by the Microsoft Windows™ Vista
VBR for a very specific purpose; for English versions of Windows Vista, you'll always see these same
Hex values ("80 9D B2 CA") in your VBR. They're used by the code to display Error Message
on your screen. But for those using Windows™ Vista in a different language, their VBRs may have different values
in the second, third and fourth bytes depending upon how many characters are in each of the messages. In the
disassembled code, we'll point out where these values show up. In any case, since the code portion above the messages
will always be the same, the first offset (0180h)
will never change no matter what languages (or string lengths) are used.
Now that you know what the bytes at offsets 1F8h through 1FBh are
used for, you could change these error messages to display whatever you wish (as long as they all fit into the space between offsets
180h and 1F7h) by counting the character lengths and using a disk editor to change the appropriate bytes in the VBR sector.
After the code in your hard disk's MBR sector transfers control to this Volume Boot Record
code, it will test critical aspects of the Vista operating system, then load and run the BOOTMGR Loader (or "bootstrap") code which will
eventually run the actual "bootmgr.exe" program that finally attempts to load an operating system!
An Examination of the Assembly Code
You can learn a great deal about the instructions used here by obtaining the x86 Opcode
Windows Help file and Ralf Brown's Interrupt List from our Intro to Assembly page.
Here's a Listing of the disassembled code (; with comments) after first being loaded into
Memory at 0000:7C00 by the Windows Vista MBR code. Until noted, the instructions below are referenced to a CS (Code Segment) of 0000. If
you see an asterisk (*) next to an instruction, it means MS-DEBUG can not disassemble its code; you'd only see "DB nn" displayed.
7C00 EB52 JMP 7C54 ; Jump over BPB (BIOS Parameter
; Block) to code at 0x7C54.
7C02 90 NOP
; 7C03 thru 7C0A 'NTFS ' 8-byte System Name or OEM ID. (Some think
; this is part of the BPB; it's not!)
; 7C0B thru 7C53 BIOS Parameter Block (BPB) Compare with XP VBR here.
; 0 1 2 3 4 5 6 7 8 9 A B C D E F
7C03 4E 54 46 53 20 20 20 20 00 02 08 00 00 NTFS .....
7C10 00 00 00 00 00 F8 00 00 3F 00 FF 00 00 08 00 00 ........?.......
7C20 00 00 00 00 80 00 80 00 FF EF 3F 01 00 00 00 00 ..........?.....
7C30 04 00 00 00 00 00 00 00 FF FE 13 00 00 00 00 00 ................
7C40 F6 00 00 00 01 00 00 00 6B E5 F9 78 1A FA 78 EA ........k..x..x.
7C50 00 00 00 00 ....
7C54 FA CLI ; Disable maskable Interrupts.
7C55 33C0 XOR AX,AX ; Zero out both the Accumulator
7C57 8ED0 MOV SS,AX ; and Stack Segment Registers.
7C59 BC007C MOV SP,7C00 ; Set Stack Pointer to 0000:7C00
7C5C FB STI ; Enable Interrupts again.
; NOTE: The code here simply changes the Segment reference for locations in
; memory. It switches the Segment from 0000 to 07C0 when RETF is executed
; at 0000:7C65. The next instruction, at 07C0:0066, is the same location
; as linear address 0x7C66 (or, 0000:7C66).
7C5D 68C007 * PUSH 07C0 ; New segment ref. to be used for
7C60 1F POP DS ; both Data (DS = Data Segment)
7C61 1E PUSH DS ; . . .
7C62 686600 * PUSH 0066 ; and Code segments . . .
7C65 CB RETF ; after this RETF instruction.
So, all Code (CS) and Data (DS) Segments in the instructions which follow are in reference to
Segment 07C0. This means the next instruction is, technically: 07C0:0066 (only the "Offsets" are shown below). Note,
however, in debuggers, such as BOCHS, which use only Linear Memory addressing, these will still be displayed 0x7C66 and following.
0066 88160E00 MOV [000E],DL ; DL = Drive # (often 80h).
; (See Vista's MBR code here.)
006A 66813E0300+ * CMP DWORD PTR [0003],5346544E ;/ -> "NTFS"
4E544653
;| Check to see if this is an NTFS Boot Record, and if not display...
0073 7515 JNZ 008A ;\ ... Disk read error -> 015F.
; NOTE: Vista must be run on a computer with INT 13 Extensions!
; ======================================================================
0075 B441 MOV AH,41 ;/ Function 41h (with BX=55AAh):
0077 BBAA55 MOV BX,55AA ;| Checks for INT 13 Extentions
007A CD13 INT 13 ;| in BIOS. If CF flag cleared
;| and [BX] changes to AA55h, they are installed; Major version is in
;| AH: 01h=1.x; 20h=2.0/EDD-1.0; 21h=2.1/EDD-1.1; 30h=EDD-3.0.
;| CX = API subset support bitmap. If bit 0 is set (CX is 'odd' number),
;| extended disk access functions (AH=42h-44h,47h,48h) are supported.
;\ So, only if _no_ extended support is available, will it fail.
007C 720C JB 008A ; If CF flag not cleared, then
; declare 'Disk error' -> 015F.
007E 81FB55AA CMP BX,AA55 ; Was [BX] changed to AA55h ?
0082 7506 JNZ 008A ; If not, 'Disk error' -> 015F.
0084 F7C10100 TEST CX,0001 ; If bit 0 of CX isn't zero ...
0088 7503 JNZ 008D ; ... we Jump to 07C0:008D.
008A E9D200 JMP 015F ; If zero, -> 'error routine'.
008D 1E PUSH DS ; Save DS on Stack
008E 83EC18 SUB SP,+18 ; Make room for Buffer on Stack
0091 681A00 * PUSH 001A ; Size of Buffer = 1Ah = 26 bytes
0094 B448 MOV AH,48 ; Function 48h of INT 13 :
; "GET DRIVE PARAMETERS"
0096 8A160E00 MOV DL,[000E] ; Put Drive Number (usually 80h) in DL.
009A 8BF4 MOV SI,SP ; Put SP into SI to set up Buffer on
; the Stack for Drive Parameters.
009C 16 PUSH SS ;/ These two lines change
009D 1F POP DS ;\ DS to zero before doing INT13.
009E CD13 INT 13 ; Get Drive Parameters.
+------------------------------------------------------+
| Format of INT 13, Function 48h, DRIVE PARAMETERS: |
| |
| Offset Size Description |
| ------ ----- ------------------------------------ |
| 00h WORD (CALL) Size of Buffer (1Ah for v1.x) |
| (RET) Size of Returned Data |
| 02h WORD Information Flags, Bitfields: |
| +==================================================+ |
| | Bits Description | |
| | ---- ------------------------------------------| |
| | 0 DMA boundary errors handled transparently | |
| | 1 C/H/S Information is valid. | |
| | 2 Removable Drive. | |
| | 3 Write with verify supported. | |
| | 4 Drive has change-line support: | |
| | (Required if Drive is Removable!) | |
| | 5 Drive can be locked: | |
| | (Required if Drive is Removable!) | |
| | 6 CHS Information set to maximum supported | |
| | values; _not_ current media. | |
| | 15-7 Reserved (0). | |
| | (Bits 4-6 are only valid if bit 2 is set.) | |
| +==================================================+ |
| 04h DWORD Number of physical Cylinders |
| 08h DWORD Number of physical Heads on drive |
| 0Ch DWORD Number of physical Sectors Per Track |
| 10h QWORD Total Number of Sectors on drive |
| 18h WORD Bytes per Sector (200h = 512) |
+------------------------------------------------------+
00A0 9F LAHF ; Load Status flags into AH
00A1 83C418 ADD SP,+18 ; Change Stack Pointer to 7BFC
00A4 9E SAHF ; Save AH into flags register.
00A5 58 POP AX ; Usually 200h (512 bytes/sector).
00A6 1F POP DS ; DS goes back to 07C0.
00A7 72E1 JB 008A ; If below, 'Disk error' -> 015F
00A9 3B060B00 CMP AX,[000B] ; [0B]&[0C] (Usually) 200h = 512 Bytes per Sector.
00AD 75DB JNZ 008A ; If not zero, 'Disk error' -> 015F
00AF A30F00 MOV [000F],AX ; Copies Bytes per Sector into 7c10 to 7c0F.
00B2 C12E0F0004 * SHR WORD PTR [000F],04 ; For a 200h in 7c10 to 7c0F,
; shifts 2 into high bits of
; 7c0F; a SHR WORD,04 is the same as dividing it by 16. So 512/16 = 32 (20h).
; The binary '1' bit shifts 4 places to the right:
; 10 0000 0000 (200h) -> 00 0010 0000 (20h)
00B7 1E PUSH DS ; Save current DS on Stack.
00B8 5A POP DX ; Change DX to 7c0.
00B9 33DB XOR BX,BX ; zero-out BX register.
00BB B90020 MOV CX,2000 ; 2000h = 8192 = 16 sectors.
00BE 2BC8 SUB CX,AX ; AX=200; CX - (1 sector) = CX.
; (Sets CX from 2000 -> 1E00.)
00C0 66FF061100 * INC DWORD PTR [0011] ; Sets [0x11] = 1 (it was 0).
; The following code from 00C5 through 00D4 and the Subroutine it CALLs
; at 0112 through 015E is used to load the BOOTMGR Loader Area into
; Memory (see notes below at location D4):
00C5 03160F00 ADD DX,[000F] ; For 1st pass (of 15): 7c0 (in DX) adds
; 20h (in 7C0:000F) and becomes: 7e0.
00C9 8EC2 MOV ES,DX ; 1st pass: So, 7e0 (in DX) -> ES.
; 2nd pass: 800 goes into -> ES.
; 3rd: 820, 4th: 840, 5th: 860, 6th: 880, 7th: 8A0, 8th: 8C0, 9th: 8E0,
; 10th: 900, 11th: 920, 12th: 940, 13th: 960, 14th: 980 and 15th: 9A0.
00CB FF061600 INC WORD PTR [0016] ; [0x16] from 0 -> 1.
00CF E84000 CALL 0112
00D2 2BC8 SUB CX,AX ; 1st pass: 1e00 (in CX) - 200h = 1C00.
; 2nd pass: 1c00 (in CX) - 200h = 1A00,
; 3rd: 1800, 4th: 1600, 5th: 1400, 6th: 1200, 7th: 1000, 8th: 0E00,
; 9th: 0C00, 10th: A00, 11th: 800, 12th: 600, 13th: 400, 14th: 200. On
; the 15th pass: CX becomes zero, so the next instruction stops looping.
00D4 77EF JA 00C5 ; This loops until all 15 sectors of
(or: JNBE) ; the BOOTMGR Loader Area are copied
; from the drive to Memory locations 7E00h
; through 9BFFh; the code ends at 8C27h,
; but it's followed by 4,056 zero bytes.
; =================================================================
; This code (from 00D6 through 010B) is related to discovering if
; TPM version 1.2 interface support is operational on the system.
;
; Comments below checked with the document, "TCG PC Client Specific
; Implementation Specification For Conventional BIOS" (Version 1.20
; FINAL/Revision 1.00/July 13, 2005/For TPM Family 1.2; Level 2), §
; 12.5, pages 85 ff. 
TCG and "TCG BIOS DOS Test Tool" (MSDN).
00D6 B800BB MOV AX,BB00 ; With AH = BBh and AL = 00h
00D9 CD1A INT 1A ; Int 1A -> TCG_StatusCheck
00DB 6623C0 * AND EAX,EAX ;/ If EAX does not equal zero,
00DE 752D JNZ 010D ;\ then no BIOS support for TCG.
00E0 6681FB+ * CMP EBX,41504354 ; EBX must also return ..
54435041 ; the numerical equivalent
; of the ASCII character string "TCPA" ("54 43 50 41") as a further
; check. (Note: Since hex numbers are stored in reverse order on PC
; media or in Memory, a TPM BIOS would put 41504354h in EBX.)
00E7 7524 JNZ 010D ; If not, exit TCG code.
00E9 81F90201 CMP CX,0102 ; Version 1.2 or higher ?
00ED 721E JB 010D ; If not, exit TCG code.
; If TPM 1.2 found, perform a: "TCG_CompactHashLogExtendEvent".
; 06FD 666807BB0000 * PUSH 0000BB07 ; Setup for INT 1Ah AH = BB,
; AL = 07h command (p.94 f).
00EF 16 PUSH SS
00F0 6807BB * PUSH BB07
00F3 16 PUSH SS
00F4 68700E * PUSH 0E70
00F7 16 PUSH SS
00F8 680900 * PUSH 0009
00FB 6653 * PUSH EBX
00FD 6653 * PUSH EBX
00FF 6655 * PUSH EBP
0101 16 PUSH SS
0102 16 PUSH SS
0103 16 PUSH SS
0104 68B801 PUSH 01B8
0107 6661 POPAD
0109 0E PUSH CS
010A 07 POP ES
010B CD1A INT 1A (BIOS Clock)
; On return, "(EAX) = Return Code as defined in Section 12.3" and
; "(EDX) = Event number of the event that was logged".
; =================================================================
This is the normal "exit point" for the VBR code, where execution jumps to
Linear Memory location 0x7E7A (or 07C0:027A):
010D E96A01 JMP 027A ; To beginning of BOOTMGR Loader
; (or "bootstrap") Code in Boot
; Record Area's second sector.
0110 90 NOP
0111 90 NOP
; =============================================================
; SUBROUTINE - INT 13 Function 42h Extended DISK READ
; =============================================================
0112 6660 * PUSHAD ; "Push All Double" - all 32-bit
; GP Regs pushed onto Stack!
0114 1E PUSH DS
0115 06 PUSH ES
0116 66A11100 MOV EAX,[0011] ; 1st pass: EAX = 1.
011A 6603061C00 ADD EAX,[001C] ; 1st pass: EAX + 800h = 801h.
011F 1E PUSH DS
0120 666800000000 * PUSH 00000000
0126 6650 * PUSH EAX
0128 06 PUSH ES
0129 53 PUSH BX
012A 680100 * PUSH 0001
012D 681000 * PUSH 0010
0130 B442 MOV AH,42 ; Function 42h (INT13)
0132 8A160E00 MOV DL,[000E] ; Drive # (usually 80h) -> DL
0136 16 PUSH SS ; (which is zero)...
0137 1F POP DS ; ...changing DS to zero.
0138 8BF4 MOV SI,SP ; DS:SI -> disk address packet
013A CD13 INT 13
013C 6659 * POP ECX
013E 5B POP BX
013F 5A POP DX
0140 6659 * POP ECX
0142 6659 * POP ECX
0144 1F POP DS
0145 0F821600 * JB 015F
0149 66FF061100 * INC DWORD PTR [0011] ; 1st pass: [0x11] -> 2.
014E 03160F00 ADD DX,[000F] ; 1st pass: 7e0 + 20h = 800h.
0152 8EC2 MOV ES,DX ; DX (now 800h) goes into ES.
0154 FF0E1600 DEC WORD PTR [0016] ; [0x16] goes back -> 0.
0158 75BC JNZ 0116
015A 07 POP ES
015B 1F POP DS
015C 6661 * POPAD ; "Pop All Double" - all 32-bit
; GP Regs reset from Stack!
015E C3 RET ; Return to 00D2.
; Note: When the last character of any Error Message has been displayed on
; the screen, the instruction at offset 016B locks the computer's execution
; into an endless loop! You must reboot the machine. INT 10, Function 0Eh
; (Teletype Output) is used to display each character of the error messages.
015F A0F801 MOV AL,[01F8] ; [1F8] = 80 + 100 -> 180 h
0162 E80800 CALL 016D ; Displays: "A disk read error occurred"
0165 A0FB01 MOV AL,[01FB] ; [1FB] = CA + 100 -> 1CA h
0168 E80200 CALL 016D ; Displays: "Press Ctrl+Alt+Del to
; restart"
016B EBFE JMP 016B
; INT 10, Function 0Eh (Teletype Output) is used to display each
; character of the error messages.
016D B401 MOV AH,01 ; Adds 100h to offsets from above.
016F 8BF0 MOV SI,AX ; Offset of message -> Source Index Reg.
0171 AC LODSB ; Load one character into AL from [SI].
0172 3C00 CMP AL,00 ;/ Have we reached end of message
0174 7409 JZ 017F ;\ marker?(00) If so, then RETurn.
0176 B40E MOV AH,0E ;/ Otherwise use Teletype Output to ...
0178 BB0700 MOV BX,0007 ;| (Display page 0, normal white
;| on black characters.)
017B CD10 INT 10 ;| ... display one character at a time,
017D EBF2 JMP 0171 ;\ and go back for another character...
017F C3 RET
Location of Error
Messages and
Message Offsets in Memory
0 1 2 3 4 5 6 7 8 9 A B C D E F
0180 0D 0A 41 20 64 69 73 6B 20 72 65 61 64 20 65 72 ..A disk read er
0190 72 6F 72 20 6F 63 63 75 72 72 65 64 00 0D 0A 42 ror occurred...B
01A0 4F 4F 54 4D 47 52 20 69 73 20 6D 69 73 73 69 6E OOTMGR is missin
01B0 67 00 0D 0A 42 4F 4F 54 4D 47 52 20 69 73 20 63 g...BOOTMGR is c
01C0 6F 6D 70 72 65 73 73 65 64 00 0D 0A 50 72 65 73 ompressed...Pres
01D0 73 20 43 74 72 6C 2B 41 6C 74 2B 44 65 6C 20 74 s Ctrl+Alt+Del t
01E0 6F 20 72 65 73 74 61 72 74 0D 0A 00 00 00 00 00 o restart.......
01F0 00 00 00 00 00 00 00 00 80 9D B2 CA 00 00 55 AA ..............U.
0 1 2 3 4 5 6 7 8 9 A B C D E F
First Published: August 16, 2009. (16.08.09).
Updated: October 3, 2010. (03.10.10); March 30, 2012 (30.03.2012); May 1, 2015 (01.05.2015).
Last Update: June 1, 2015. (01.06.2015)
You can write to me using this: online reply form. (It opens in
a new window.)
The Starman's FREE TOOLS Page 
MBR and Boot Records Index
The Starman's Realm Index Page